From: Greg Kroah-Hartman
Date: Fri, 4 Jan 2019 18:58:48 +0000 (+0100)
Subject: 4.14-stable patches
X-Git-Tag: v4.9.149~69
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c013d14439c460e76aab20d29af974c793238364;p=thirdparty%2Fkernel%2Fstable-queue.git
4.14-stable patches
added patches:
ip6mr-fix-potential-spectre-v1-vulnerability.patch
ipv4-fix-potential-spectre-v1-vulnerability.patch
net-core-fix-spectre-v1-vulnerability.patch
phonet-af_phonet-fix-spectre-v1-vulnerability.patch
---
diff --git a/queue-4.14/ip6mr-fix-potential-spectre-v1-vulnerability.patch b/queue-4.14/ip6mr-fix-potential-spectre-v1-vulnerability.patch
new file mode 100644
index 00000000000..74883ad0962
--- /dev/null
+++ b/queue-4.14/ip6mr-fix-potential-spectre-v1-vulnerability.patch
@@ -0,0 +1,59 @@
+From foo@baz Fri Jan 4 19:53:50 CET 2019
+From: "Gustavo A. R. Silva"
+Date: Tue, 11 Dec 2018 14:10:08 -0600
+Subject: ip6mr: Fix potential Spectre v1 vulnerability
+
+From: "Gustavo A. R. Silva"
+
+[ Upstream commit 69d2c86766da2ded2b70281f1bf242cb0d58a778 ]
+
+vr.mifi is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+net/ipv6/ip6mr.c:1845 ip6mr_ioctl() warn: potential spectre issue 'mrt->vif_table' [r] (local cap)
+net/ipv6/ip6mr.c:1919 ip6mr_compat_ioctl() warn: potential spectre issue 'mrt->vif_table' [r] (local cap)
+
+Fix this by sanitizing vr.mifi before using it to index mrt->vif_table'
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6mr.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv6/ip6mr.c
++++ b/net/ipv6/ip6mr.c
+@@ -72,6 +72,8 @@ struct mr6_table {
+ #endif
+ };
+
++#include
++
+ struct ip6mr_rule {
+ struct fib_rule common;
+ };
+@@ -1883,6 +1885,7 @@ int ip6mr_ioctl(struct sock *sk, int cmd
+ return -EFAULT;
+ if (vr.mifi >= mrt->maxvif)
+ return -EINVAL;
++ vr.mifi = array_index_nospec(vr.mifi, mrt->maxvif);
+ read_lock(&mrt_lock);
+ vif = &mrt->vif6_table[vr.mifi];
+ if (MIF_EXISTS(mrt, vr.mifi)) {
+@@ -1957,6 +1960,7 @@ int ip6mr_compat_ioctl(struct sock *sk,
+ return -EFAULT;
+ if (vr.mifi >= mrt->maxvif)
+ return -EINVAL;
++ vr.mifi = array_index_nospec(vr.mifi, mrt->maxvif);
+ read_lock(&mrt_lock);
+ vif = &mrt->vif6_table[vr.mifi];
+ if (MIF_EXISTS(mrt, vr.mifi)) {
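Review bot: The new `#include` in the `@@ -72` hunk is placed after the `struct mr6_table` definition rather than in the file's include block at the top, which is where the ipmr.c and af_phonet.c patches in this same series put theirs; moving it up keeps the header dependency discoverable. The include target is also missing from this rendering (`++#include` with nothing after it), presumably `<linux/nospec.h>`, the header that provides `array_index_nospec()` — likely stripped as an HTML tag, so verify the queued file is intact. The clamps in ip6mr_ioctl() and ip6mr_compat_ioctl() sit directly after the `vr.mifi >= mrt->maxvif` check and before the `vif6_table[vr.mifi]` load, which is the right placement; note that the description's Smatch lines name `mrt->vif_table` while the 4.14 code being indexed is `mrt->vif6_table`. Both ioctl functions start and end outside their hunks.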
diff --git a/queue-4.14/ipv4-fix-potential-spectre-v1-vulnerability.patch b/queue-4.14/ipv4-fix-potential-spectre-v1-vulnerability.patch
new file mode 100644
index 00000000000..c3f53466146
--- /dev/null
+++ b/queue-4.14/ipv4-fix-potential-spectre-v1-vulnerability.patch
@@ -0,0 +1,51 @@
+From foo@baz Fri Jan 4 19:53:50 CET 2019
+From: "Gustavo A. R. Silva"
+Date: Mon, 10 Dec 2018 12:41:24 -0600
+Subject: ipv4: Fix potential Spectre v1 vulnerability
+
+From: "Gustavo A. R. Silva"
+
+[ Upstream commit 5648451e30a0d13d11796574919a359025d52cce ]
+
+vr.vifi is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+net/ipv4/ipmr.c:1616 ipmr_ioctl() warn: potential spectre issue 'mrt->vif_table' [r] (local cap)
+net/ipv4/ipmr.c:1690 ipmr_compat_ioctl() warn: potential spectre issue 'mrt->vif_table' [r] (local cap)
+
+Fix this by sanitizing vr.vifi before using it to index mrt->vif_table'
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ipmr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -68,6 +68,8 @@
+ #include
+ #include
+
++#include
++
+ struct ipmr_rule {
+ struct fib_rule common;
+ };
+@@ -1620,6 +1622,7 @@ int ipmr_compat_ioctl(struct sock *sk, u
+ return -EFAULT;
+ if (vr.vifi >= mrt->maxvif)
+ return -EINVAL;
++ vr.vifi = array_index_nospec(vr.vifi, mrt->maxvif);
+ read_lock(&mrt_lock);
+ vif = &mrt->vif_table[vr.vifi];
+ if (VIF_EXISTS(mrt, vr.vifi)) {
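Review bot: The description cites Smatch warnings for both ipmr_ioctl() (line 1616) and ipmr_compat_ioctl() (line 1690), but the only code hunk here is the one at `@@ -1620`, whose header attributes it to ipmr_compat_ioctl(), and the diffstat's 3 insertions account for just the include and this single clamp. If that attribution is right, the equivalent `if (vr.vifi >= mrt->maxvif)` path in ipmr_ioctl() is not in this patch and would still index `mrt->vif_table[vr.vifi]` unclamped; confirm it is covered by a separate patch or add the same `vr.vifi = array_index_nospec(vr.vifi, mrt->maxvif);` there. The function in the hunk starts and ends outside it.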
diff --git a/queue-4.14/net-core-fix-spectre-v1-vulnerability.patch b/queue-4.14/net-core-fix-spectre-v1-vulnerability.patch
new file mode 100644
index 00000000000..423a675c7c6
--- /dev/null
+++ b/queue-4.14/net-core-fix-spectre-v1-vulnerability.patch
@@ -0,0 +1,55 @@
+From foo@baz Fri Jan 4 19:53:50 CET 2019
+From: "Gustavo A. R. Silva"
+Date: Fri, 21 Dec 2018 14:49:01 -0600
+Subject: net: core: Fix Spectre v1 vulnerability
+
+From: "Gustavo A. R. Silva"
+
+[ Upstream commit 50d5258634aee2e62832aa086d2fb0de00e72b91 ]
+
+flen is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+net/core/filter.c:1101 bpf_check_classic() warn: potential spectre issue 'filter' [w]
+
+Fix this by sanitizing flen before using it to index filter at line 1101:
+
+ switch (filter[flen - 1].code) {
+
+and through pc at line 1040:
+
+ const struct sock_filter *ftest = &filter[pc];
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/filter.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -56,6 +56,7 @@
+ #include
+ #include
+ #include
++#include
+
+ /**
+ * sk_filter_trim_cap - run a packet through a socket filter
+@@ -823,6 +824,7 @@ static int bpf_check_classic(const struc
+ bool anc_found;
+ int pc;
+
++ flen = array_index_nospec(flen, BPF_MAXINSNS + 1);
+ /* Check the filter code now */
+ for (pc = 0; pc < flen; pc++) {
+ const struct sock_filter *ftest = &filter[pc];
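Review bot: The clamp `flen = array_index_nospec(flen, BPF_MAXINSNS + 1);` is added at the top of bpf_check_classic() with no bounds check of its own in sight; the `+ 1` is only correct if every caller has already rejected `flen > BPF_MAXINSNS` (and `flen == 0`, since the function later reads `filter[flen - 1]` per the description), which this hunk cannot show — in 4.14 that presumably happens in the callers via bpf_check_basics_ok(), so verify it. Because the clamp is separated from the branch it is meant to neutralize, a one-line comment would keep the coupling explicit: `/* flen was bounded to [1, BPF_MAXINSNS] by the caller; re-clamp it under speculation before it indexes filter[] */`. bpf_check_classic() starts at the hunk header and ends outside the hunk.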
diff --git a/queue-4.14/phonet-af_phonet-fix-spectre-v1-vulnerability.patch b/queue-4.14/phonet-af_phonet-fix-spectre-v1-vulnerability.patch
new file mode 100644
index 00000000000..1c9f46336ce
--- /dev/null
+++ b/queue-4.14/phonet-af_phonet-fix-spectre-v1-vulnerability.patch
@@ -0,0 +1,50 @@
+From foo@baz Fri Jan 4 19:53:50 CET 2019
+From: "Gustavo A. R. Silva"
+Date: Fri, 21 Dec 2018 15:41:17 -0600
+Subject: phonet: af_phonet: Fix Spectre v1 vulnerability
+
+From: "Gustavo A. R. Silva"
+
+[ Upstream commit d686026b1e6ed4ea27d630d8f54f9a694db088b2 ]
+
+protocol is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+net/phonet/af_phonet.c:48 phonet_proto_get() warn: potential spectre issue 'proto_tab' [w] (local cap)
+
+Fix this by sanitizing protocol before using it to index proto_tab.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/phonet/af_phonet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/phonet/af_phonet.c
++++ b/net/phonet/af_phonet.c
+@@ -34,6 +34,8 @@
+ #include
+ #include
+
++#include
++
+ /* Transport protocol registration */
+ static struct phonet_protocol *proto_tab[PHONET_NPROTO] __read_mostly;
+
+@@ -43,6 +45,7 @@ static struct phonet_protocol *phonet_pr
+
+ if (protocol >= PHONET_NPROTO)
+ return NULL;
++ protocol = array_index_nospec(protocol, PHONET_NPROTO);
+
+ rcu_read_lock();
+ pp = rcu_dereference(proto_tab[protocol]);
diff --git a/queue-4.14/series b/queue-4.14/series
new file mode 100644
index 00000000000..b5f60ddabe2
--- /dev/null
+++ b/queue-4.14/series
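Review bot: The check `if (protocol >= PHONET_NPROTO)` and the new `array_index_nospec(protocol, PHONET_NPROTO)` are only sound together if `protocol` is unsigned; the signature is cut off at the hunk header (`static struct phonet_protocol *phonet_pr`), so confirm the parameter is `unsigned int` — with a signed `int` (as socket(2) hands it to the caller), a negative value would pass the `>=` test and the check would need a `protocol < 0 ||` clause. Otherwise the placement is right: the clamp sits between the bounds check and the `proto_tab[protocol]` dereference, and the include is grouped with the other headers rather than mid-file. phonet_proto_get() ends outside the hunk.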
@@ -0,0 +1,4 @@
+phonet-af_phonet-fix-spectre-v1-vulnerability.patch
+net-core-fix-spectre-v1-vulnerability.patch
+ipv4-fix-potential-spectre-v1-vulnerability.patch
+ip6mr-fix-potential-spectre-v1-vulnerability.patch